
Abstract:

An arithmetic device includes an input unit inputting data that are
elements of a group; a converting unit is configured, when the input data
are in a second representation, to convert the input data into a first
representation and to perform arithmetic operation on the converted first
representation using an operand in the first representation in which at
least one subcomponent is a zero element to convert the converted first
representation into first converted data expressed in the first
representation, and when the input data are in the first representation,
to perform arithmetic operation on the input data using the operand in
the first representation in which at least one subcomponent is a zero
element to convert the input data into second converted data expressed in
the first representation; and an operating unit that performs arithmetic
processing on the first or the second converted data using secret
information.

Claims:

1. An arithmetic device that performs arithmetic processing on elements
of a group by using secret information, wherein the elements of the group
are expressed at least in a first representation and in a second
representation, in which an element expressed by the first representation
is constituted by a plurality of components each including a plurality of
subcomponents, and one element of the group expressed in the second
representation has a plurality of corresponding first representations,
and an element expressed in the first representation obtained by
performing arithmetic operation on an element expressed in the first
representation by using an operand having the same group structure as a
component included in the first representation represents the same
element of the group as that before the arithmetic operation using the
operand, the arithmetic device comprising: an input unit configured to
input input data that are elements of the group; a converting unit
configured to: when the input data are in the second representation,
convert the input data into the first representation, and perform
arithmetic operation on the converted first representation by using the
operand in the first representation in which at least one subcomponent is
a zero element to convert the converted first representation into first
converted data expressed in the first representation, and when the input
data are in the first representation, perform arithmetic operation on the
input data by using the operand in the first representation in which at
least one subcomponent is a zero element to convert the input data into
second converted data expressed in the first representation; and an
operating unit configured to perform arithmetic processing on the first
converted data or the second converted data by using secret information.

2. The arithmetic device according to claim 1, wherein a position of the
subcomponent that is the zero element included in the operand used by the
converting unit is set in advance, and the converting unit omits the
arithmetic operation for the zero element included in the operand.

3. The arithmetic device according to claim 2, further comprising an
operand generating unit configured to generate the operand in which at
least one subcomponent is a zero element, wherein the converting unit
converts the input data into the first representation by using the
operand generated by the operand generating unit.

4. The arithmetic device according to claim 3, wherein the input data are
encrypted data obtained by encryption according to an encryption scheme
based on a discrete logarithm problem of the group and expressed in the
second representation, the converting unit converts the encrypted data
into the first representation by using an operand generated by selecting
at least one of the subcomponents of the operand, and the operating unit
calculates plain data by performing predetermined decryption according to
the encryption scheme on the encrypted data converted into the first
representation by using the secret information.

5. The arithmetic device according to claim 4, wherein the encryption
scheme is based on the discrete logarithm problem of the group that is an
algebraic torus, and the first representation is a projective
representation while the second representation is an affine
representation.

6. An arithmetic method for performing arithmetic processing on elements
of a group by using secret information, wherein the elements of the group
are expressed at least in a first representation and in a second
representation, in which an element expressed by the first representation
is constituted by a plurality of components each including a plurality of
subcomponents, and one element of the group expressed in the second
representation has a plurality of corresponding first representations,
and an element expressed in the first representation obtained by
performing arithmetic operation on an element expressed in the first
representation by using an operand having the same group structure as a
component included in the first representation represents the same
element of the group as that before the arithmetic operation using the
operand, the arithmetic method comprising: inputting input data that are
elements of the group; when the input data are in the second
representation, converting the input data into the first representation,
and performing arithmetic operation on the converted first representation
by using the operand in the first representation in which at least one
subcomponent is a zero element to convert the converted first
representation into first converted data expressed in the first
representation, and when the input data are in the first representation,
performing arithmetic operation on the input data by using the operand in
the first representation in which at least one subcomponent is a zero
element to convert the input data into second converted data expressed in
the first representation; and performing arithmetic processing on the
first converted data or the second converted data by using secret
information.

7. The arithmetic method according to claim 6, wherein a position of the
subcomponent that is the zero element included in the operand used by the
converting is set in advance, and the converting omits the arithmetic
operation for the zero element included in the operand.

8. The arithmetic method according to claim 7, further comprising an
operand generating to generate the operand in which at least one
subcomponent is a zero element, wherein the converting converts the input
data into the first representation by using the operand generated by the
operand generating.

9. The arithmetic method according to claim 8, wherein the input data are
encrypted data obtained by encryption according to an encryption scheme
based on a discrete logarithm problem of the group and expressed in the
second representation, the converting converts the encrypted data into
the first representation by using an operand generated by selecting at
least one of the subcomponents of the operand, and the performing
calculates plain data by performing predetermined decryption according to
the encryption scheme on the encrypted data converted into the first
representation by using the secret information.

10. The arithmetic method according to claim 9, wherein the encryption
scheme is based on the discrete logarithm problem of the group that is an
algebraic torus, and the first representation is a projective
representation while the second representation is an affine
representation.

11. A program product having a computer readable medium including
programmed instructions for performing arithmetic processing on elements
of a group by using secret information, wherein the elements of the group
are expressed at least in a first representation and in a second
representation, in which an element expressed by the first representation
is constituted by a plurality of components each including a plurality of
subcomponents, and one element of the group expressed in the second
representation has a plurality of corresponding first representations,
and an element expressed in the first representation obtained by
performing arithmetic operation on an element expressed in the first
representation by using an operand having the same group structure as a
component included in the first representation represents the same
element of the group as that before the arithmetic operation using the
operand, and wherein the instructions, when executed by a computer, cause
the computer to perform: inputting input data that are elements of the
group; when the input data are in the second representation, converting
the input data into the first representation, and performing arithmetic
operation on the converted first representation by using the operand in
the first representation in which at least one subcomponent is a zero
element to convert the converted first representation into first
converted data expressed in the first representation, and when the input
data are in the first representation, performing arithmetic operation on
the input data by using the operand in the first representation in which
at least one subcomponent is a zero element to convert the input data
into second converted data expressed in the first representation; and
performing arithmetic processing on the first converted data or the
second converted data by using secret information.

12. The program product according to claim 11, wherein a position of the
subcomponent that is the zero element included in the operand used by the
converting is set in advance, and the converting omits the arithmetic
operation for the zero element included in the operand.

13. The program product according to claim 12, wherein the instructions
cause the computer to further perform an operand generating to generate
the operand in which at least one subcomponent is a zero element, and the
converting converts the input data into the first representation by using
the operand generated by the operand generating.

14. The program product according to claim 13, wherein the input data are
encrypted data obtained by encryption according to an encryption scheme
based on a discrete logarithm problem of the group and expressed in the
second representation, the converting converts the encrypted data into
the first representation by using an operand generated by selecting at
least one of the subcomponents of the operand, and the performing
calculates plain data by performing predetermined decryption according to
the encryption scheme on the encrypted data converted into the first
representation by using the secret information.

15. The program product according to claim 14, wherein the encryption
scheme is based on the discrete logarithm problem of the group that is an
algebraic torus, and the first representation is a projective
representation while the second representation is an affine
representation.

Description:

CROSS-REFERENCE TO RELATED APPLICATIONS

[0001] This application is a continuation of PCT international application
Ser. No. PCT/JP2009/066439 filed on Sep. 18, 2009, which designates the
United States; the entire contents of which are incorporated herein by
reference.

FIELD

[0002] Embodiments described herein relate generally to arithmetic
processing using secret information, which is performed on elements of a
subgroup of a multiplicative group.

BACKGROUND

[0003] In recent years, adversaries have been growing their abilities with
the progress in computers, and the size of cryptosystems for making
cryptanalysis difficult is increasing year after year. The increase in
the size of security parameters of cryptosystems is an issue when public
key cryptography is employed in small devices that do not have sufficient
memory capacities and communication bands.

[0004] Accordingly, compressed encryption technologies for compressing the
size of public keys and the size of encrypted data in public key
cryptography have been proposed (see, for example, K. Rubin and A.
Silverberg, "Torus-Based Cryptography", CRYPTO 2003, Springer LNCS 2729,
pp. 349-365, 2003). The compressed encryption technologies are based on
the fact that elements of a set can be represented by a small number of
bits by using a subset called an algebraic torus among sets of elements
used in public key cryptography. In addition, technologies using
additional input for converting elements of a set into a representation
with a small number of bits are known as technologies for increasing the
compression ratio (see, for example, M. van Dijk and D. Woodruff,
"Asymptotically Optimal Communication for Torus-Based Cryptography",
CRYPTO 2004, Springer LNCS 3152, pp. 157-178, 2004).

[0005] In addition, in recent years, security against unauthorized attacks
such as side channel attacks, which attempt to break secret information
through power analysis, electromagnetic analysis or the like, may be lowered
in public key cryptosystems (see, for example, J. S. Coron, "Resistance
Against Differential Power Analysis for Elliptic Curve Cryptosystems",
CHES 1999, Springer LNCS 1717, pp. 292-302, 1999). In Furuta et al.,
"Projective Representation Randomization against DPA in Torus-Based
Cryptosystems", Proceedings of the Institute of Electronics, Information
and Communication Engineers General Conference A-7-6, 2009, measures are
taken against side channel attacks through differential power analysis
(DPA) by randomizing projective representations of ciphers using algebraic
tori.

[0006] However, the computational cost of multiplication performed in the
course of randomly selecting elements of an algebraic torus is large in
the measures using algebraic tori against side channel attacks as in
"Projective Representation Randomization against DPA in Torus-Based
Cryptosystems" described above.

BRIEF DESCRIPTION OF THE DRAWINGS

[0007] FIG. 1 is a diagram illustrating an outline of an encryption
processing system according to an embodiment;

[0008] FIG. 2 is a block diagram of a decryption device according to the
embodiment;

[0009] FIG. 3 is an explanatory diagram illustrating procedures for the
Cramer-Shoup encryption scheme;

[0010] FIG. 4 is a flowchart illustrating an overall flow of decryption
processing according to the embodiment; and

[0011] FIG. 5 is a diagram illustrating a hardware configuration of the
decryption device according to the embodiment.

DETAILED DESCRIPTION

[0012] In general, according to one embodiment, an arithmetic device
includes an input unit inputting data that are elements of a group. The
elements of the group are expressed at least in a first representation
and in a second representation, in which an element expressed by the
first representation is constituted by a plurality of components each
including a plurality of subcomponents, and one element of the group
expressed in the second representation has a plurality of corresponding
first representations. A converting unit is configured to: when the input
data are in the second representation, convert the input data into a
first representation, and perform arithmetic operation on the converted
first representation using an operand in the first representation in
which at least one subcomponent is a zero element to convert the
converted first representation into first converted data expressed in the
first representation, and when the input data are in the first
representation, perform arithmetic operation on the input data using the
operand in the first representation in which at least one subcomponent is
a zero element to convert the input data into second converted data
expressed in the first representation. The device further includes an
operating unit that performs arithmetic processing on the first or the
second converted data using secret information.

[0013] Embodiments of a device, a method and a program will be described
below in detail with reference to the accompanying drawings. Description
will be given below of an example in which an arithmetic device for
performing arithmetic processing using secret information (arithmetic
device based on secret information) is implemented as a decryption device
for decrypting, by using secret information, encrypted data resulting
from encryption according to an encryption and compression technology
using algebraic tori.

[0014] Secret information refers to any non-public information present
during arithmetic processing. In ElGamal encryption, for example,
messages present during encryption processing, random numbers that are
randomly generated, and the like are also included in secret information
in addition to secret keys. Hash values and the like present during
processing are also included in secret information depending on the
encryption scheme. Public keys and the like, on the other hand, are not
non-public information and thus not included in secret information.

[0015] Note that the applicable device is not limited to a decryption
device, and any device performing arithmetic processing by using secret
information on elements of a subgroup of a multiplicative group can be
applied. For example, the technique of the embodiment can also be applied
to a device for generating a signature by using secret key data.

[0016] In general, among fields, which are sets of elements over which the
four arithmetic operations are defined, a field whose set of elements is
finite is called a finite field. In addition, it is known that the number
of elements in a finite field is either a prime number or a power of a
prime number; such fields are called a prime field and an extension field,
respectively. An algebraic torus used in the compressed encryption
technologies is a subgroup of the multiplicative group of an extension
field.

[0017] There are three types of representations of an algebraic torus,
which are an extension field representation, a projective representation
and an affine representation. In the compressed encryption technologies
of the related art using algebraic tori, an encryption device first
associates a message with elements of an algebraic torus in the extension
field representation. Next, the encryption device performs calculation on
the extension field representation to calculate encrypted data, converts
the encrypted data into the affine representation that is compressed, and
transmits the compressed encrypted data to a decryption device. The
decryption device converts the received encrypted and compressed data
into the extension field representation, and performs calculation on the
extension field representation to decrypt into plain data.

[0018] On the other hand, a decryption device according to the embodiment
first converts the encrypted and compressed data represented in the
affine representation to the projective representation instead of the
extension field representation, and performs calculation thereon. In this
process, a plurality of conversion maps for converting the affine
representation into projective representations different from one another
are prepared, and the affine representation is converted into the
projective representation by using one conversion map randomly selected
therefrom.

[0019] This increases the randomness of decryption processing and enhances
security. Specifically, since the measured waveform is no longer uniform
from one run to the next, the risk that secret information is recovered is
lowered even under side channel attacks or the like that attempt to break
the secret information through electromagnetic analysis or the like.

[0020] Here, an outline of an encryption processing system according to
the embodiment will be described with reference to FIG. 1. FIG. 1 is a
diagram illustrating the outline of the encryption processing system
according to the embodiment. As illustrated in FIG. 1, the encryption
processing system according to the embodiment includes an encryption
device 200 and an arithmetic device 100 configured to perform arithmetic
operations based on secret information.

[0021] The encryption device 200 generates encrypted data obtained by
encrypting plain data according to the public key cryptosystems based on
the discrete logarithm problem in algebraic torus having a group
structure, compresses the generated encrypted data into the affine
representation, and sends the affine representation to the arithmetic
device 100.

[0022] Upon receiving the encrypted data expressed in the affine
representation, the arithmetic device 100 converts the affine
representation of the encrypted data into any of a plurality of
corresponding projective representations that is selected according to a
random number. The arithmetic device 100 then performs arithmetic
operation by using the projective representation resulting from the
conversion, and outputs plain data that are an element g of the algebraic
torus as the operation result.

[0023] The decryption device of the related art converts the affine
representation into the single corresponding projective representation for
arithmetic operation. In contrast, in the embodiment, the affine
representation can be converted into a projective representation selected
from a plurality of projective representations before the arithmetic
operation is performed, as illustrated in FIG. 1. As a result, it is
possible to increase the randomness of cryptosystems using the algebraic
torus, which are one form of arithmetic processing using secret
information.

[0024] Next, a configuration of the arithmetic device 100 according to the
embodiment will be described. FIG. 2 is a block diagram illustrating an
exemplary configuration of the arithmetic device 100 according to the
embodiment. The arithmetic device 100 is a device configured to restore
encrypted data obtained by encryption according to the public key
cryptosystems using an algebraic torus. As illustrated in FIG. 2, the
arithmetic device 100 includes an input unit 101, a dividing unit 102, an
operand generating unit 103, an operation control unit 110 and a storage
unit 104.

[0025] The input unit 101 inputs input data such as encrypted and
compressed data sent from the encryption device 200 and secret key data
according to the public key cryptosystems to be used for decryption. The
storage unit 104 stores the input encrypted and compressed data, secret
key data and the like. The storage unit 104 may be formed by any commonly
used storage medium such as a hard disk drive (HDD), an optical disc, a
memory card, and a random access memory (RAM).

[0026] The dividing unit 102 divides the input encrypted and compressed
data into a plurality of partial data pieces in units for decryption
processing. For example, the dividing unit 102 divides the encrypted and
compressed data into partial data pieces having a predetermined size.
Note that the method for division is not limited thereto. Alternatively,
the arithmetic device 100 may be configured not to divide the encrypted
and compressed data therein. For example, the encryption device 200 may
be configured to divide plain data into partial data pieces and send a
plurality of encrypted and compressed data pieces resulting from
encrypting and compressing the partial data pieces. In this case, the
arithmetic device 100 may perform decryption processing in units of the
plurality of encrypted and compressed data pieces.

[0027] The operand generating unit 103 generates a multiplier k that is an
operand required for converting the representation by a converting
section 111 (described later). The multiplier k may be provided in a
table in advance or may be determined from a generated random number.

[0028] The operation control unit 110 controls arithmetic processing based
on secret information. In the embodiment, the operation control unit 110
performs decryption processing of encrypted data. The operation control
unit 110 includes the converting section 111, an arithmetic processing
section 112 and a determining section 113.

[0029] The converting section 111 mutually converts the representations of
various data used in decryption processing. For example, the converting
section 111 mutually converts the data representation between a first
representation and a second representation. An element of a group
expressed in the second representation has a plurality of first
representations. As a more specific example, the converting section 111
converts encrypted data compressed into the affine representation that is
the second representation to the projective representation that is the
first representation. In addition, the converting section 111 converts
plain data resulting from decryption in the projective representation
into the affine representation.

[0030] Note that the first and second representations are not limited to
the projective representation and the affine representation,
respectively. For example, other representations satisfying the
aforementioned relation may be applied to the first and second
representations.

[0031] Here, details of representations and a method for conversion
between the representations used in the embodiment will be described.
First, definitions of terms used in the embodiment will be explained.

[0032] (Definition 1)

[0033] A field having a finite number of elements is called a finite field
and is represented by $F_p$, where p is a prime number. An element of the
finite field $F_p$ is represented by a non-negative integer satisfying
the following expression (1).

$a \in F_p \quad (0 \le a \le p-1)$ (1)

[0034] (Definition 2)

[0035] An element of a finite field (hereinafter written as $F_{p^m}$)
expressed by the following expression (2) is expressed by an (m-1)-th
order polynomial (m is a positive integer) having coefficients in the
finite field $F_p$ as expressed by the following expression (3).
Hereinafter, z represents an indeterminate element of the polynomial.

[0037] An element of a finite field (hereinafter written as $F_{(p^m)^3}$)
expressed by the following expression (4) is expressed by a second-order
polynomial having coefficients in the finite field $F_{p^m}$ as
expressed by the following expression (5). Hereinafter, y represents an
indeterminate element of the polynomial.

$F_{(p^m)^3}$ (4)

$\alpha = a_0 + a_1 y + a_2 y^2 \in F_{(p^m)^3}, \quad a_i \in F_{p^m}$ (5)

[0038] (Definition 4)

[0039] An algebraic torus is expressed by the following expression (6)
(hereinafter written as $T_6(F_{p^m})$).

$T_6(F_{p^m})$ (6)

[0040] (Definition 5)

[0041] An element of the algebraic torus $T_6(F_{p^m})$ is expressed
by using $\alpha, \beta \in F_{(p^m)^3}$ as in the following
expression (7). In the expression (7), $\alpha + \beta x$ represents an
element of a finite field $F_{(p^m)^6}$, and is expressed by a
first-order polynomial having coefficients in the finite field
$F_{(p^m)^3}$. "x" represents an indeterminate element of the polynomial.
When $\alpha$ and $\beta$ satisfy the condition of the expression (7), the
projective representation is simply expressed as in the following
expression (8). Note that a variable c attached with a symbol "'" refers
to data represented in the projective representation.

[0043] An element other than the identity element of an algebraic torus
expressed by the following expression (9) is expressed using $c_0$ and
$c_1$ satisfying the following expression (10). The following
expression (11) represents the multiplicative group of the finite field
$F_{p^m}$ constituted by the members of the finite field other than the
zero element. In addition, w in the expression (10) represents an element
of the multiplicative group of the expression (11), and is a value
determined in advance taking the calculation efficiency and the like into
account. When $c_0$ and $c_1$ satisfy the expression (10), the affine
representation is simply expressed as in the following expression (12).
Note that a variable c attached with a symbol "*" refers to data
represented in the affine representation.

[0044] Conversion processing between representations performed by the
converting section 111 will be described based on the above-described
definitions. First, a map (reference map) that is a reference for a
plurality of maps for converting an affine representation into a
projective representation by the converting section 111 will be
described.

[0045] The reference map is a map that takes as input an affine
representation expressed by the following expression (13) and outputs a
projective representation expressed by the expression (14). More
specifically, the reference map converts the affine representation into
the projective representation by replacing the aforementioned expression
(10), which is the fractional expression of the affine representation, with
the aforementioned expression (8), which is the fractional expression of the
projective representation, according to the procedures expressed by the
following expression (15). Note that the procedures 5 and 6 in the
expression (15) mean that the values of $b_1$ and $b_2$ are set to
zero elements of the finite field $F_p$.

[0046] In the expression, w represents the constant term of the modulus
polynomial determining the finite field $F_{(p^m)^3}$.

[0047] Next, a map with which the converting section 111 converts a
projective representation into an affine representation will be
described. The converting section 111 receives the projective
representation expressed by the following expression (16) as an input and
outputs the affine representation expressed by the expression (17), thereby
converting the projective representation into the affine representation.
More specifically, the converting section 111 converts the projective
representation into the affine representation according to the procedures
expressed by the following expression (18). Note that the procedure 1 in
the expression (18) means that the values of $c_0$ and $c_1$ are set
to zero elements of $F_{p^m}$ when $\beta$ is the zero element of the
finite field $F_{(p^m)^3}$.

[0048] In the embodiment, a conversion map is defined and used that outputs
a projective representation obtained by multiplying the projective
representation output from the reference map described with reference to
the expressions (13) to (15) by a multiplier k that is an element of
$F_{(p^m)^3}$. Specifically, the operand generating unit 103 determines a
multiplier k that is an element of the finite field $F_{(p^m)^3}^{\times}$
(the superscript "×" means the elements excluding the zero element), and
outputs a projective representation $(k\alpha, k\beta)$ obtained by
multiplying the projective representation $(\alpha, \beta)$ output from
the reference map by k.

[0049] Note that $\alpha$, $\beta$ and the multiplier k are elements of the
finite field $F_{(p^m)^3}$ as already described. Accordingly, the
multiplication of the finite field $F_{(p^m)^3}$ needs to be performed
twice to calculate $(k\alpha, k\beta)$, which results in a high
computational cost.

[0050] The calculation of $(k\alpha, k\beta)$ will be described more
specifically here. First, the finite field $F_p$, the finite field
$F_{p^m}$ and the finite field $F_{(p^m)^3}$ are defined as in the
following expressions (19-1) to (19-3).

$a_{ij} \in F_p$ (19-1)

$a_i \in F_{p^m}$ (19-2)

$\alpha \in F_{(p^m)^3}$ (19-3)

[0051] An element $a_i$ of the finite field $F_{p^m}$ can be expressed
by a polynomial having m elements of the finite field $F_p$ as
components as in the following expression (20).

[0052] Furthermore, the element $\alpha$ of the finite field $F_{(p^m)^3}$
has the elements $a_i$ of the finite field $F_{p^m}$ as components.
Thus, the element $\alpha$ of the finite field $F_{(p^m)^3}$ can be
expressed by a polynomial using 3m elements of the finite field $F_p$
as in the following expression (21).

[0053] Therefore, the multiplication of the finite field $F_{(p^m)^3}$ is
as in the following expression (22), and it can be seen that a
multiplication corresponding to $9m^2$ multiplications in the finite
field $F_p$ needs to be performed. According to this artless method,
twice this amount, that is, $18m^2$ multiplications in the finite field
$F_p$, needs to be performed for the calculation of $(k\alpha, k\beta)$.

[0054] Here, when an element of a finite field A is expressed as a
polynomial whose terms have elements of another finite field B as
coefficients, those terms are referred to as the components of the finite
field A. When, in turn, each coefficient from B is itself expressed as a
polynomial or a monomial whose terms have elements of yet another finite
field C as coefficients (these terms being the components of B), those
terms are referred to as the subcomponents of the finite field A.

[0055] In the example described above, the element α of the finite
field F_{(p^m)^3} has elements a_i of the finite field F_{p^m} as
components, and each element a_i of F_{p^m} has m elements of the
finite field F_p as components. Therefore, the components of the finite
field F_{p^m} are the subcomponents of the finite field F_{(p^m)^3}.

[0056] On the other hand, if the side channel attacks to be countered
identify only one bit at a time, it is also an effective countermeasure
to obtain (kα, kβ) with a multiplier k in which only a selected
subcomponent is drawn from F_{p^m}^× or F_p^× and the remaining
subcomponents are set to zero elements. In order to reduce the
computational cost of this countermeasure, the embodiment sets some of the
subcomponents of the multiplier in F_{(p^m)^3} to zero elements and does
not perform the arithmetic operations that involve those zero elements.

[0057] The converting section 111 then converts the affine representation
into the projective representation by multiplying with the multiplier k
generated by the operand generating unit 103, some of whose subcomponents
are zero elements.

[0058] Note that every projective representation obtained by
multiplication by a multiplier k corresponds to the same affine
representation. This is because the multiplier k cancels when α is
divided by β to obtain the value γ in procedure 2.1 of expression
(18). Accordingly, the results of arithmetic operations performed on
projective representations obtained with any multiplier k are all the
same once mapped back to the affine representation.

[0059] The arithmetic processing section 112 performs arithmetic
processing using secret information on the encrypted data that the
converting section 111 has converted into the projective representation.
More specifically, the arithmetic processing section 112 performs
decryption processing, based on the discrete logarithm problem in a finite
field, on the encrypted data using secret key data to obtain plain data.
Still more specifically, the arithmetic processing section 112 decrypts
the encrypted data according to the Cramer-Shoup encryption scheme, using
a number of exponentiations and multiplications together with a hash
function H applied to the encrypted data, and outputs plain data. Note
that the arithmetic processing section 112 may instead employ other
encryption schemes such as ElGamal encryption.

[0060] The Cramer-Shoup encryption scheme is described here. FIG. 3 is an
explanatory diagram illustrating the procedures for encryption and
decryption according to the Cramer-Shoup encryption scheme. In FIG. 3, q
is a prime number, g is a generator of the group G of order q in which the
cipher is defined, and g̃, e, f and h are elements of the group G. The
plain data m is also an element of G, and r is a randomly generated
number.

[0061] In encryption processing 601, the encrypted data (ct1, ct2, ct3,
ct4) corresponding to the plain data m are calculated by expressions
(23-1) to (23-4) below and in FIG. 3. Here, H( ) in expression (23-3) is
a hash function; the encrypted data are input to H( ) to obtain the hash
value v. Each component of the secret key is an integer from 0 to q-1.

[0062] r: randomly generated

ct1grct2g˜rbhr (23-1)

ct3bm (23-2)

vH(ct1, ct2, ct3) (23-3)

ct4erfgrv (23-4)

[0063] In decryption processing 602, the validity of the encrypted data
(ct1, ct2, ct3, ct4) is checked using the secret key (x1, x2, y1, y2,
z1, z2) by expressions (24-1) to (24-6) below and in FIG. 3, and the
plain data m are calculated. Here, each component of the secret key (x1,
x2, y1, y2, z1, z2) is an integer from 0 to q-1. In addition, ct ∈? G
(or G̃) means to determine whether or not ct belongs to the group G (or
the group G̃).

[0064] r: randomly generated

$(ct_1, ct_2, ct_3, ct_4) \overset{?}{\in} \tilde{G}$ (24-1)

$(ct_1, ct_2, ct_3) \overset{?}{\in} G$ (24-2)

$b \leftarrow ct_1^{\,z_1}\, ct_2^{\,z_2}$ (24-3)

$m \leftarrow ct_3\, b^{-1}$ (24-4)

$v \leftarrow H(ct_1, ct_2, ct_3)$ (24-5)

$ct_4 \overset{?}{=} ct_1^{\,x_1 + y_1 v}\, ct_2^{\,x_2 + y_2 v}$ (24-6)

[0065] As described above, note that the secret information that can be
targeted by side channel attacks and the like includes, in addition to the
secret key (x1, x2, y1, y2, z1, z2), the value b (expression (24-3)) that
appears during the calculation, the random number r, the hash value v,
and so on.

[0066] Referring back to FIG. 2, the determining section 113 determines
the validity of the encrypted data. For example, the determining section
113 determines whether or not the elements of the encrypted data are
members of the correct group. In addition, the determining section 113
calculates a hash value of the input encrypted data, compares a value
derived from that hash value with a predetermined component of the input
encrypted data, and judges the encrypted data valid only when the two
match.

[0067] Next, decryption processing by the arithmetic device 100 according
to the embodiment configured as described above will be described with
reference to FIG. 4. FIG. 4 is a flowchart illustrating an overall flow
of the decryption processing according to the embodiment.

[0068] First, the input unit 101 inputs encrypted data that are encrypted
according to the Cramer-Shoup encryption scheme described above and
compressed into an affine representation (encrypted and compressed data)
(step S501). For example, the input unit 101 inputs, from the storage
unit 104, encrypted and compressed data received from the encryption
device 200 and stored in the storage unit 104.

[0069] In the next step S502, the dividing unit 102 divides the input
encrypted and compressed data into a plurality of partial data pieces. In
the following, the partial data pieces are represented by four components
(ct1*, ct2*, ct3*, ct4*). In the following, note that
a variable attached with a symbol "*" refers to data represented in the
affine representation similarly to the expression (8) and the expression
(12) described above. In addition, a variable attached with a symbol "'"
refers to data represented in the projective representation.

[0070] In the next step S503, the operation control unit 110 obtains an
unprocessed partial data piece. In the next step S504, the determining
section 113 determines whether or not each of ct1*, ct2*, ct3* and ct4*,
the components (elements) of the obtained partial data piece, is a member
of the correct group. Specifically, in step S504, the determining section
113 determines whether or not (ct1*, ct2*, ct3*, ct4*) ∈ G^4 is
satisfied.

[0071] If it is determined in step S504 that a component of the partial
data pieces is not an element of a correct group (No in step S504), the
decryption processing ends. On the other hand, if it is determined that
the components of the partial data pieces are members of a correct group
(Yes in step S504), the processing proceeds to step S505. In step S505,
the operation control unit 110 calculates a hash value v=H(ct1*,
ct2*, ct3*) by using ct1*, ct2*, ct3* as input
to a hash function H.

[0072] In the next step S506, the operand generating unit 103 selects one
or more subcomponents of the multiplier k as elements of the finite field
F_{p^m}^× or the finite field F_p^×, and sets the remaining subcomponents
to zero elements. In the next step S507, the converting section 111
converts the representation by using the determined multiplier k. If the
input data are in the affine representation, the affine representation is
converted into the projective representation. If the input data are
already in the projective representation, no change of representation is
needed and only the multiplication by k is applied. In either case, the
converting section 111 multiplies all the subcomponents of the projective
representation by the multiplier k.

[0073] In the multiplication by the multiplier k in step S507, the
arithmetic operations involving the zero elements of k are not performed.
For example, suppose that in step S506 the subcomponents of k are taken
from the finite field F_{p^m}, one subcomponent is generated by the
operand generating unit 103, and the remaining subcomponents are set to
zero elements. In this case, the cost of calculating (kα, kβ) in step
S507 corresponds to six multiplications in F_{p^m}. This is about 1/3 of
the cost of naively performing two full multiplications in F_{(p^m)^3},
which amount to 18 multiplications in F_{p^m}.

[0074] Alternatively, suppose that in step S506 the subcomponents of k
are taken from the finite field F_p, one subcomponent is generated by the
operand generating unit 103, and the remaining subcomponents are set to
zero elements. In this case, the cost of calculating (kα, kβ) in step
S507 corresponds to 6m multiplications in F_p. This is about 1/(3m) of
the cost of naively performing two multiplications in F_{(p^m)^3}, which
amount to 18m^2 multiplications in F_p.

[0075] As described above, the subcomponents of the operand (here, the
multiplier) may be elements of either the finite field F_{p^m} or the
finite field F_p; they only need to give the operand the same structure
as the first representation (here, the projective representation), that
is, the same arrangement of subcomponents.

[0076] The calculation of (kα, kβ) in step S507 is described in more
detail using expression (22) above as an example. In expression (22), the
factor before the multiplication sign "×", with coefficients a_{ij}, is
α or β, and the factor after the multiplication sign, with
coefficients b_{ij}, is the multiplier k. The operand generating unit 103
sets z in the multiplier k to 0, for example, so that only the
coefficient b_{00} is generated as a subcomponent, and sets the remaining
subcomponents to zero elements. No multiplication is performed for the
subcomponents that are zero elements. As a result, the calculation of
(kα, kβ) involves only 6m multiplications in the finite field F_p,
and the cost is about 1/(3m) of that of naively performing two
multiplications in F_{(p^m)^3}.

[0077] In addition, when the multiplier k is generated from a random
number, the multiplier k and the random number can be associated as
follows. When the multiplier k consists of one element of F_{p^m}^× and
two zero elements as described above, the element of F_{p^m}^× can be
expressed as a vector of m elements of F_p. The operand generating unit
103 is therefore configured to generate a random number with any value
from 1 to p^m-1. The digits of that random number, written as an m-digit
p-adic (base-p) number, are assigned to the subcomponents of the
multiplier k, that is, to the elements of the vector. In this way the
generated random number can be associated with one of p^m-1 different
multipliers k.

[0078] Furthermore, when the multiplier k consists of one element of
F_p^× and 3m-1 zero elements, the operand generating unit 103 is
configured to generate a random number with any value from 1 to p-1, and
that value (a single p-adic digit) is assigned to the selected
subcomponent of the multiplier k. In this way the generated random number
can be associated with one of p-1 different multipliers k.

[0079] Note that the method for associating the random number and the
multipliers k is not limited thereto, and any method capable of selecting
any of a plurality of multipliers k depending on the random number can be
applied.

[0080] Still further, in step S506, the operand generating unit 103 is not
limited to generating the multipliers k by using a random number, and may
alternatively hold a multiplier table in which a plurality of multipliers
k are registered in advance and sequentially use the multipliers k
registered in the multiplier table.
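The following is an added example, not code from the patent, that makes the operation counts of [0073], [0074] and [0076] and the random-number-to-multiplier mapping of [0077] and [0078] concrete. It builds the tower F_p, F_{p^m}, F_{(p^m)^3} with toy parameters that are assumptions chosen for a small run: p = 7, m = 2, F_{p^m} = F_7[x]/(x^2 + 1) (irreducible because -1 is a non-residue mod 7) and F_{(p^m)^3} = F_49[y]/(y^3 - 2) (irreducible because 2 is not a cube in F_49). Only F_p multiplications in the schoolbook products are counted, so the reduction steps by small constants are ignored, which matches the 9m^2 count of [0053]. The sample α and β are constructed inputs with no zero coefficients.

```python
"""Sparse-multiplier randomisation of the projective representation (alpha, beta)
over the tower F_p -> F_{p^m} -> F_{(p^m)^3}, with an F_p multiplication counter.
Added example, not the patent's code; parameters below are assumptions."""

P = 7                 # characteristic; F_p = integers mod 7
M = 2                 # F_{p^m} = F_7[x] / (x^2 + 1)
FPM_MOD = [1, 0, 1]   # coefficients of x^2 + 1, lowest degree first
CUBIC_C = 2           # F_{(p^m)^3} = F_49[y] / (y^3 - 2); 2 is not a cube in F_49
Q = (P ** M) ** 3     # order of F_{(p^m)^3}

COUNT = {"fp_mults": 0}   # F_p multiplications actually executed


def fp_mul(a, b, skip_zero):
    """Multiply in F_p; with skip_zero the product with a zero element is not executed."""
    if skip_zero and (a == 0 or b == 0):
        return 0
    COUNT["fp_mults"] += 1
    return (a * b) % P


def fpm_add(a, b):
    return [(u + v) % P for u, v in zip(a, b)]


def fpm_mul(a, b, skip_zero=True):
    """Schoolbook product of two F_{p^m} elements (lists of M coefficients in F_p),
    reduced modulo FPM_MOD.  m^2 F_p multiplications when nothing is skipped."""
    prod = [0] * (2 * M - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + fp_mul(ai, bj, skip_zero)) % P
    for k in range(2 * M - 2, M - 1, -1):          # fold x^k (k >= M) via x^M = -(lower terms)
        c, prod[k] = prod[k], 0
        for t in range(M):
            prod[k - M + t] = (prod[k - M + t] - c * FPM_MOD[t]) % P
    return prod[:M]


def ext_mul(a, b, skip_zero=True):
    """Product of two F_{(p^m)^3} elements (lists of 3 F_{p^m} components), reduced
    with y^3 = CUBIC_C.  9 F_{p^m} = 9 m^2 F_p multiplications when nothing is skipped."""
    prod = [[0] * M for _ in range(5)]
    for i in range(3):
        for j in range(3):
            prod[i + j] = fpm_add(prod[i + j], fpm_mul(a[i], b[j], skip_zero))
    out = prod[:3]
    for k in (3, 4):                                # y^3 = c, y^4 = c*y
        out[k - 3] = fpm_add(out[k - 3], [(CUBIC_C * v) % P for v in prod[k]])
    return out


ONE = [[1] + [0] * (M - 1), [0] * M, [0] * M]


def ext_pow(a, e):
    r, base = ONE, a
    while e:
        if e & 1:
            r = ext_mul(r, base)
        base = ext_mul(base, base)
        e >>= 1
    return r


def to_affine(alpha, beta):
    """Affine representation gamma = alpha / beta (inverse by Fermat: beta^(Q-2))."""
    return ext_mul(alpha, ext_pow(beta, Q - 2))


def multiplier_from_random(r, base_field):
    """Random number -> sparse multiplier k with one nonzero subcomponent ([0077]/[0078]).
    "fpm": r in 1..p^m-1, its m base-p digits fill the single F_{p^m} subcomponent;
    "fp":  r in 1..p-1, a single digit fills one F_p subcomponent."""
    if base_field == "fpm":
        assert 1 <= r <= P ** M - 1
        digits = []
        for _ in range(M):
            digits.append(r % P)
            r //= P
        k0 = digits
    else:
        assert 1 <= r <= P - 1
        k0 = [r] + [0] * (M - 1)
    return [k0, [0] * M, [0] * M]


def randomize(alpha, beta, k, skip_zero=True):
    """(alpha, beta) -> (k*alpha, k*beta); returns the pair and the F_p multiplications spent."""
    COUNT["fp_mults"] = 0
    pair = (ext_mul(k, alpha, skip_zero), ext_mul(k, beta, skip_zero))
    return pair, COUNT["fp_mults"]


if __name__ == "__main__":
    alpha = [[1, 2], [3, 4], [5, 6]]          # constructed sample, no zero coefficients
    beta = [[2, 3], [4, 5], [6, 1]]
    dense_k = [[3, 5], [1, 4], [2, 6]]        # a full element of F_{(p^m)^3}^x for the naive method
    _, naive = randomize(alpha, beta, dense_k, skip_zero=False)
    pair_m, cost_m = randomize(alpha, beta, multiplier_from_random(10, "fpm"))
    pair_p, cost_p = randomize(alpha, beta, multiplier_from_random(5, "fp"))
    print(naive, cost_m, cost_p)              # 72 24 12  (18m^2, 1/3 of it, 1/(3m) of it)
    print(to_affine(alpha, beta) == to_affine(*pair_m) == to_affine(*pair_p))   # True
```

With these parameters the naive two multiplications cost 18m^2 = 72 F_p multiplications, the F_{p^m}^× multiplier 24 (1/3) and the F_p^× multiplier 12 (1/(3m)), and all three projective pairs map back to the same affine γ. The trade-off that [0077] and [0078] state is visible too: drawn from F_p^× there are only p-1 = 6 distinct multipliers, against p^m-1 = 48 from F_{p^m}^×, so the cheaper choice randomises the representation over a smaller set.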

[0081] In the next step S508, the converting section 111 converts
ct1*, ct2* expressed in the affine representation into ct1', ct2' in the
projective representation by using the selected multiplier k, and outputs
the converted data. In addition, the arithmetic processing section 112
performs the exponentiation K' = ct1'^(x1 + y1 v) · ct2'^(x2 + y2 v)
by using the hash value v, ct1' and ct2' in the projective
representation, and x1, x2, y1, y2 out of the secret key data (step
S509). Then, the converting section 111 converts the variable K' expressed
in the projective representation into a variable K* in the affine
representation (step S510).

[0082] In the next step S511, the determining section 113 determines
whether or not the variable K* and the component ct4* of the input
encrypted data match. Note that step S511 only needs to confirm that the
variable K* and ct4* are equivalent. It may therefore be configured to
convert the variable K' in the projective representation into a variable
K in the extension field representation instead of the variable K* in the
affine representation, and to confirm that the variable K and ct4* match.

[0083] If it is determined in step S511 that the variable K* and ct4*
do not match (No in step S511), the decryption processing ends. On the
other hand, if it is determined that the variable K* and ct4* match (Yes
in step S511), the converting section 111 converts ct3* expressed in the
affine representation into ct3' in the projective representation (step
S512). In the next step S513, the arithmetic processing section 112
performs the exponentiation b' = ct1'^(z1) · ct2'^(z2) by using ct1'
and ct2' and z1 and z2 out of the secret key data.

[0084] In the next step S514, the arithmetic processing section 112
calculates the decrypted data m' = ct3' · b'^(-1) corresponding to the
partial data piece, expressed in the projective representation, by using
ct3' obtained by the conversion and the calculated b'. Next, the
converting section 111 converts the decrypted data m' into plain data m*
expressed in the affine representation (step S515).

[0085] In the next step S516, the operation control unit 110 determines
whether or not all the partial data pieces have been processed. If not
all the partial data pieces have been processed (No in step S516), the
processing returns to step S503, where the next unprocessed partial data
piece is obtained, and the subsequent processes are repeated.

[0086] On the other hand, if it is determined in step S516 that all the
partial data pieces are processed (Yes in step S516), the processing
proceeds to step S517. In step S517, the arithmetic processing section
112 calculates plain data resulting from combining the decrypted data m'
corresponding to the partial data pieces, and ends the decryption
processing.
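The encryption of expressions (23-1) to (23-4) and the decryption flow of steps S504 to S515 (expressions (24-1) to (24-6)), as an added example that is not the patent's code. It assumes a toy group: the order-q subgroup G of Z_p^* for the safe prime p = 2q + 1 with q = 1019, the squares g = 4 and g̃ = 9 as generators, and SHA-256 reduced mod q as the hash function H (the page leaves H abstract). The projective representation of a group element is modelled as a pair (num, den) standing for num/den mod p, so that multiplying both entries by the random k is the analogue of the conversion in step S507 and dividing them out again is the return to the affine representation in steps S510 and S515. The ciphertexts are constructed in the run at the end.

```python
"""Cramer-Shoup over the order-q subgroup of Z_p^*, p = 2q + 1, following (23-1)..(24-6)
in the check-first order of FIG. 4.  Added example, not the patent's code; the group,
generators and hash are assumptions."""
import hashlib
import secrets

Q = 1019                 # prime order of G
P = 2 * Q + 1            # 2039; G = squares in Z_p^*, G~ = Z_p^* as in (24-1)
G1, G2 = 4, 9            # g and g~ : squares mod p, hence of order q


def _is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


assert _is_prime(P) and _is_prime(Q) and pow(G1, Q, P) == pow(G2, Q, P) == 1


def keygen():
    """Secret key (x1, x2, y1, y2, z1, z2), each in 0..q-1; public key (e, f, h)."""
    x1, x2, y1, y2, z1, z2 = (secrets.randbelow(Q) for _ in range(6))
    e = pow(G1, x1, P) * pow(G2, x2, P) % P
    f = pow(G1, y1, P) * pow(G2, y2, P) % P
    h = pow(G1, z1, P) * pow(G2, z2, P) % P
    return (e, f, h), (x1, x2, y1, y2, z1, z2)


def hash_v(ct1, ct2, ct3):
    """H(ct1, ct2, ct3) reduced into 0..q-1 (SHA-256 is an assumption)."""
    data = b"".join(c.to_bytes(4, "big") for c in (ct1, ct2, ct3))
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def encrypt(pk, m):
    """m must be an element of G (encoding bytes into G is outside this example)."""
    e, f, h = pk
    r = secrets.randbelow(Q - 1) + 1
    ct1, ct2, b = pow(G1, r, P), pow(G2, r, P), pow(h, r, P)     # (23-1)
    ct3 = b * m % P                                               # (23-2)
    v = hash_v(ct1, ct2, ct3)                                     # (23-3)
    ct4 = pow(e, r, P) * pow(f, r * v, P) % P                     # (23-4)
    return ct1, ct2, ct3, ct4


def in_group(x):
    """x in G: a nonzero residue mod p (G~ test, 24-1) whose order divides q (G test, 24-2)."""
    return 1 <= x < P and pow(x, Q, P) == 1


# Projective analogue: (num, den) represents num/den mod p; scaling both by k leaves it unchanged.
def to_projective(x, k):
    return (k * x % P, k % P)                   # S507: multiply the representation by k


def proj_pow(pt, e):
    return (pow(pt[0], e, P), pow(pt[1], e, P))


def proj_mul(a, b):
    return (a[0] * b[0] % P, a[1] * b[1] % P)


def to_affine(pt):
    return pt[0] * pow(pt[1], -1, P) % P        # divide the multiplier out again


def decrypt(sk, ct):
    """Returns m, or None when the membership check (S504) or the ct4 check (S511) fails."""
    x1, x2, y1, y2, z1, z2 = sk
    ct1, ct2, ct3, ct4 = ct
    if not all(in_group(c) for c in ct):                                # S504: (ct1..ct4) in G^4
        return None
    v = hash_v(ct1, ct2, ct3)                                           # S505, (24-5)
    k = secrets.randbelow(P - 1) + 1                                    # S506: fresh nonzero multiplier
    c1, c2 = to_projective(ct1, k), to_projective(ct2, k)               # S508
    K = proj_mul(proj_pow(c1, x1 + y1 * v), proj_pow(c2, x2 + y2 * v))  # S509
    if to_affine(K) != ct4:                                             # S510/S511, (24-6)
        return None
    c3 = to_projective(ct3, k)                                          # S512
    b = proj_mul(proj_pow(c1, z1), proj_pow(c2, z2))                    # S513, (24-3)
    m = proj_mul(c3, (b[1], b[0]))                                      # S514, (24-4): b^-1 swaps num/den
    return to_affine(m)                                                 # S515


if __name__ == "__main__":
    pk, sk = keygen()
    m = pow(7, 2, P)                                     # a square, hence an element of G
    ct = encrypt(pk, m)
    print(decrypt(sk, ct) == m)                          # True
    ct1, ct2, ct3, ct4 = ct
    print(decrypt(sk, (ct1, ct2, ct3, ct4 * 4 % P)))     # None: (24-6) fails
    print(decrypt(sk, (P - 1, ct2, ct3, ct4)))           # None: p-1 is not a square, rejected at S504
```

Two points of the flow are visible in the code: the membership check of step S504 runs before any exponentiation with the secret key, so an element outside G never reaches the secret-key arithmetic, and the comparison with ct4 in step S511 is made only after the multiplier k has been divided out, as [0082] requires. The 11-bit p is for reading the steps, not for use.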

[0087] As described above, the decryption device according to the
embodiment converts the affine representation into the projective
representation at reduced cost by choosing the multiplier k used for the
conversion so that one or more of its subcomponents are zero elements,
and by skipping the parts of the calculation that involve those zero
subcomponents. The decryption device then performs the arithmetic
operations of the decryption processing on the projective representation
resulting from the conversion. As a result, the randomness of the
arithmetic processing that uses secret information is increased while the
amount of calculation is reduced, which enhances security.

[0088] Note that concepts substantially the same as the affine and
projective representations of algebraic tori also exist outside algebraic
tori. For elliptic curves, for example, they take the form of affine
coordinates and projective coordinates. The present invention is
therefore not limited to algebraic tori and may be applied to elliptic
curve cryptosystems and the like.

[0089] Next, a hardware configuration of the decryption device according
to the embodiment will be described with reference to FIG. 5. FIG. 5 is
an explanatory diagram illustrating a hardware configuration of the
decryption device according to the embodiment.

[0090] The decryption device according to the embodiment includes a
control unit such as a central processing unit (CPU) 51, storage units
such as a read only memory (ROM) 52 and a RAM 53, a communication
interface 54 connected to a network for communication, and a bus 61
connecting the respective components.

[0091] Decryption programs to be executed by the decryption device
according to the embodiment are embedded in the ROM 52 in advance and
provided therefrom. Alternatively, the decryption programs to be executed
by the decryption device according to the embodiment may be recorded on a
computer-readable recording medium such as a compact disk read only
memory (CD-ROM), a flexible disk (FD), a compact disk recordable (CD-R),
a digital versatile disk (DVD) and the like in the form of a file that
can be installed or executed, and provided therefrom.

[0092] Still alternatively, the decryption programs to be executed by the
decryption device according to the embodiment may be stored on a computer
system connected to a network such as the Internet, and provided by being
downloaded via the network. In addition, the decryption programs to be
executed by the decryption device according to the embodiment may be
provided or distributed via a network such as the Internet.

[0093] The decryption programs to be executed by the decryption device
according to the embodiment have a modular configuration including the
units (the input unit 101, the dividing unit 102, the operand generating
unit 103, and the operation control unit 110) described above. In an
actual hardware configuration, the CPU 51 reads the decryption programs
from the ROM 52 and executes them, whereby the respective units are loaded
onto, and instantiated in, the main storage unit.

[0094] While certain embodiments have been described, these embodiments
have been presented by way of example only, and are not intended to limit
the scope of the inventions. Indeed, the novel embodiments described
herein may be embodied in a variety of other forms; furthermore, various
omissions, substitutions and changes in the form of the embodiments
described herein may be made without departing from the spirit of the
inventions. The accompanying claims and their equivalents are intended to
cover such forms or modifications as would fall within the scope and
spirit of the inventions.